TL;DR: PAM best practices now extend beyond admin accounts to service accounts, API keys, third-party access and CI/CD identities, because many incidents begin in unclassified privileged credentials; Soffid’s article argues for visibility, JIT access, session control and automation. The real governance test is whether privileged access can be reviewed, rotated and revoked fast enough to matter.
NHIMG editorial — based on content published by Soffid: PAM best practices for protecting critical accounts without operational friction
By the numbers:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- Only 5.7% of organisations have full visibility into their service accounts.
Questions worth separating out
Q: How should security teams govern privileged access for service accounts and API keys?
A: Security teams should place service accounts and API keys under the same privileged governance model used for human administrators, then add lifecycle ownership, rotation and session visibility.
Q: Why do standing privileges create so much risk in PAM programmes?
A: Standing privileges create risk because they allow access to persist long enough for attackers to reuse it, defenders to miss it, and normal users to forget it exists.
Q: What do organisations get wrong about PAM visibility?
A: They often treat visibility as a reporting exercise instead of a control prerequisite.
Practitioner guidance
- Inventory every privileged identity type Create a single inventory that includes administrator accounts, service accounts, API keys, shared accounts, third-party access and CI/CD identities.
- Make temporary elevation the default Replace persistent privileged access with task-scoped elevation wherever the business process allows it.
- Automate rotation and revocation workflows Use workflow automation to rotate credentials after use, revoke stale access during offboarding, and update linked entitlements without manual tickets.
What's in the full article
Soffid's full article covers the operational detail this post intentionally leaves for the source:
- A step-by-step view of how Soffid recommends identifying privileged accounts across administrators, service accounts, APIs and CI/CD identities.
- Operational guidance on applying MFA, vaulting, JIT access and Zero Trust together without creating avoidable user friction.
- The article's own view on how PAM automation reduces manual errors across rotation, approvals and session monitoring.
- Questions the vendor says CISOs should ask when evaluating whether PAM and IGA are integrated in practice.
👉 Read Soffid's PAM best practices guide for critical accounts →
PAM best practices for critical accounts: what teams miss?
Explore further
Privileged access governance must now include non-human and delegated identities. The article correctly broadens PAM beyond admin users, because service accounts, API keys, shared credentials and pipeline identities are now part of the privileged estate. That aligns with OWASP-NHI and NIST CSF thinking: if a credential can reach critical systems, it belongs in privileged governance. The practitioner conclusion is simple: privileged access reviews are incomplete when they stop at human administrator accounts.
A few things that frame the scale:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
A question worth separating out:
Q: Who is accountable when privileged access is not revoked on time?
A: Accountability should sit with the system or application owner, supported by identity governance and PAM operations, because revocation is a lifecycle control not a one-off security task. If the business cannot identify the owner of a privileged credential, it has already failed the governance test.
👉 Read our full editorial: PAM best practices for critical accounts without operational drag